Full Disclosure mailing list archives
Advisory: SQL-Injection in CitrusDB
From: Maximillian Dornseif <dornseif () informatik rwth-aachen de>
Date: Mon, 14 Feb 2005 22:31:20 +0100
Advisory: SQL-Injection in CitrusDB

A group of students at our lab called RedTeam found an SQL-Injection vulnerability in CitrusDB.

Details
=======
Product: CitrusDB
Affected Version: 0.3.6 (verified), probably <= 0.3.5, too
Immune Version: none
OS affected: all
Security-Risk: low
Remote-Exploit: no
Vendor-URL: http://www.citrusb.org
Vendor-Status: informed
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-004
Advisory-Status: public
CVE: CAN-2005-0410 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0410)

Introduction
============
Description from vendor: "CitrusDB is an open source customer database application that uses PHP and a database backend (currently MySQL) to keep track of customer information, services, products, billing, and customer service information."

CitrusDB does not filter special characters (e.g. single quotes) from uploaded csv files.

More Details
============
In ./citrusdb/tools/importcc.php data from a previously uploaded csv file is inserted into the mysql database, but none of the values is filtered.

Proof of Concept
================
A csv file with the content

',,,,,

makes the SQL query in ./citrusdb/tools/importcc.php fail.

Workaround
==========
Check csv files manually for single quotes before upload.

Fix
===
n/a

Security Risk
=============
The security risk is rated low because only special users may upload csv files, and with this SQL injection it is only possible to inject data that could more easily be injected directly through the csv file.

History
=======
2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0410

RedTeam
=======
RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at http://tsyklon.informatik.rwth-aachen.de/redteam/

-- 
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/
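The following is an added example, not code from the advisory or from CitrusDB itself: a Python reconstruction of the import pattern the advisory describes (CSV fields pasted unescaped into an INSERT), the proof-of-concept row `',,,,,` breaking that statement, a parameterized replacement that stores the same row as plain data, and the advisory's manual workaround turned into a check. It runs against SQLite rather than MySQL; the table name, column names and sample rows are constructed for the example and are an assumption about how importcc.php lays out its data.

```python
import csv
import io
import sqlite3

# Constructed for this example: not CitrusDB's real schema or data.
COLUMNS = ("name", "ccnum", "exp_month", "exp_year", "amount", "comment")

BENIGN_CSV = "Alice Example,4111111111111111,12,2027,100.00,first invoice\n"
# The advisory's proof of concept: a lone single quote in the first field.
POC_CSV = "',,,,,\n"


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cc_import (%s)" % ", ".join("%s TEXT" % c for c in COLUMNS)
    )
    return conn


def _rows(csv_text):
    """Parse the upload and reject rows whose field count does not match."""
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if len(row) != len(COLUMNS):
            raise ValueError(
                f"line {lineno}: expected {len(COLUMNS)} fields, got {len(row)}"
            )
        yield row


def import_unfiltered(csv_text):
    """Vulnerable pattern (assumed to mirror importcc.php): each field is
    dropped between single quotes in the statement text with no escaping.
    A quote inside a field therefore becomes SQL syntax; on the PoC row the
    statement ends in an unterminated string and the database rejects it."""
    conn = _fresh_db()
    for row in _rows(csv_text):
        sql = "INSERT INTO cc_import (%s) VALUES (%s)" % (
            ", ".join(COLUMNS),
            ", ".join("'%s'" % field for field in row),
        )
        conn.execute(sql)
    return conn.execute("SELECT * FROM cc_import").fetchall()


def unfiltered_import_breaks(csv_text):
    """True when the vulnerable import path raises a database error."""
    try:
        import_unfiltered(csv_text)
    except sqlite3.OperationalError:
        return True
    return False


def import_parameterized(csv_text):
    """Hardened version: the statement text is fixed and every field is
    bound as a parameter, so a quote in the data stays data."""
    conn = _fresh_db()
    sql = "INSERT INTO cc_import (%s) VALUES (%s)" % (
        ", ".join(COLUMNS),
        ", ".join("?" * len(COLUMNS)),
    )
    conn.executemany(sql, _rows(csv_text))
    return conn.execute("SELECT * FROM cc_import").fetchall()


def fields_with_quotes(csv_text):
    """The advisory's workaround, automated: return (line, column) for every
    field containing a single quote so the file can be rejected or cleaned
    before it is uploaded."""
    hits = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col, field in enumerate(row):
            if "'" in field:
                hits.append((lineno, COLUMNS[col] if col < len(COLUMNS) else col))
    return hits


if __name__ == "__main__":
    print("benign row, unfiltered:", import_unfiltered(BENIGN_CSV))
    try:
        import_unfiltered(POC_CSV)
    except sqlite3.OperationalError as exc:
        print("PoC row, unfiltered import failed:", exc)
    print("PoC row, parameterized:", import_parameterized(POC_CSV))
    print("quote check:", fields_with_quotes(POC_CSV))
```

The failure the advisory reports is visible in the unfiltered path: the PoC row yields `VALUES (''', '', '', '', '', '')`, an odd number of quotes, so the parser never sees the closing quote. The parameterized path accepts the same upload and stores the quote literally, which is the fix the advisory leaves as "n/a".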
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html